Misconfigured servers and unsecured databases often go unnoticed until security researchers report them. Bob Diachenko, Head of Security Research at Comparitech, recently discovered an unsecured Elasticsearch server holding a terrorist watchlist of more than 1.9 million records. The server was exposed to the internet without any authentication, so anyone who found it could read the data.
Diachenko stated that the watchlist belongs to the Terrorist Screening Center (TSC), an FBI-led multi-agency group. The TSC maintains a watchlist of suspected terrorists, of which the no-fly list is a subset. Authorized officials use the watchlist to perform terrorist screening.
The exposed records contained sensitive fields such as full name, TSC watchlist ID, citizenship, gender, date of birth, passport number, country of issuance, and a no-fly indicator. The database was secured after Diachenko reported the exposure to the Department of Homeland Security (DHS).
Apparently, this is the TSC (Terrorist Screening Centre) dataset publicly exposed (tsc_id is the only clue), with 1.9M+ records. In any case, any thoughts as of where to responsibly report? pic.twitter.com/e31pSrHnoM
— Bob Diachenko (@MayhemDayOne) July 19, 2021
Potential Risks Involved
Internet-wide scanners such as Censys and ZoomEye had already indexed the exposed server, so anyone searching those services could have found it; Diachenko said he could not tell whether any unauthorized party actually accessed it. Since the exposed data concerns people suspected of terrorism, the repercussions could be severe if it falls into the wrong hands.
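The exposure described above is the classic "Elasticsearch with no authentication" case: an unauthenticated GET to the node's root answers with the cluster banner, and one more request to /_cat/indices reveals how much data is sitting there. The script below is an added example, not code from CISO MAG, Comparitech or Diachenko, showing how to check your own hosts for that condition. Hostnames and the sample responses are constructed for illustration; the classification relies only on fields that every Elasticsearch node returns.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example, not code from the article or from Comparitech. The sample
responses below are constructed to look like real Elasticsearch output.
"""
import json
import sys
import urllib.error
import urllib.request

# Every Elasticsearch node returns this tagline in the response to GET /
ES_TAGLINE = "You Know, for Search"


def classify_root_response(status, body):
    """Classify the HTTP response to GET / on a suspected Elasticsearch host.

    Returns one of:
      'open'          - Elasticsearch answered without any authentication
      'auth_required' - the server demanded credentials (401/403), which is
                        what a node with security enabled returns
      'not_es'        - something answered, but not an Elasticsearch root
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "not_es"
    try:
        data = json.loads(body)
    except ValueError:
        return "not_es"
    if isinstance(data, dict) and data.get("tagline") == ES_TAGLINE and "version" in data:
        return "open"
    return "not_es"


def summarize_indices(cat_indices_json):
    """Parse GET /_cat/indices?format=json into (index, doc_count) pairs and a
    total. An attacker who finds an open node issues exactly this request to
    see how much data is exposed; the same numbers tell you the blast radius."""
    rows = json.loads(cat_indices_json)
    per_index = []
    total = 0
    for row in rows:
        count = int(row.get("docs.count") or 0)
        per_index.append((row["index"], count))
        total += count
    return per_index, total


def fetch(url, timeout=5):
    """GET url with no credentials and return (status, body).
    Network call; the offline checks below never invoke it."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def check_host(base_url):
    """Probe one host, e.g. 'http://es.example.internal:9200' (assumed name).
    Returns (verdict, per_index, total_docs)."""
    status, body = fetch(base_url + "/")
    verdict = classify_root_response(status, body)
    if verdict != "open":
        return verdict, [], 0
    status, body = fetch(base_url + "/_cat/indices?format=json")
    if status != 200:
        return verdict, [], 0
    per_index, total = summarize_indices(body)
    return verdict, per_index, total


# Constructed sample responses shaped like real Elasticsearch output.
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.10.2"},
    "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "watchlist", "docs.count": "1900000", "health": "green"},
    {"index": ".kibana_1", "docs.count": "12", "health": "green"},
])


if __name__ == "__main__":
    # usage: python es_check.py http://host1:9200 http://host2:9200 ...
    for host in sys.argv[1:]:
        verdict, per_index, total = check_host(host)
        print(f"{host}: {verdict}, {total} documents in {len(per_index)} indices")
```

The result you want from your own clusters is "auth_required": a node with security enabled rejects the anonymous root request with a 401 rather than handing out its banner. Security is on by default since Elasticsearch 8.0; on self-managed 7.x clusters it had to be switched on explicitly with `xpack.security.enabled: true` in elasticsearch.yml, and a node bound to a public interface without that setting is exactly what scanners like Censys and ZoomEye index. Running the check from outside your own network (or from the scanner's point of view) matters, since a node that looks internal to you may still be reachable through a permissive cloud security group.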
“The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” Diachenko said in a post.
Speaking exclusively with CISO MAG, Diachenko said, “While it is unknown what party was responsible for the exposure of this watchlist, one thing is clear – no matter what size is your organization and how well established is your security posture, there should always be a place for additional checkups using quite simple cyber hygiene rules.”